Reading credit cards with a tape head

A company called Square is giving out free credit card readers that turn any iPhone or iPad into a Point of Sale terminal. [Steve] got a hold of one of these tiny peripherals and did what any sane person would do: tear it apart and learn how it works. This bit of hardware is a little unimpressive; unsurprising because Square is giving them away. With simplicity comes an ease in understanding, and [Steve] was able to successfully read his own credit card with this tiny and free credit card reader.

[Steve]’s work in decoding credit card data builds off [Count Zero]’s article from the bbs days. Basically, each credit card has two or three tracks. Track three is mostly unused, whereas track one contains the card holder name, account number, cvc code and other ancillary data. Track two only contains the credit card number and expiration date.

The only components in the Square card reader are a head from a tape player and a 1/8″ microphone jack. The magnetic head in the Square card reader is positioned to only read track two. With a small shim, it’s possible to re-align the head to get the data from track one. After recording an audio file of him sliding his card though the Square reader, [Steve] looked at the number of times the waveform flipped from positive to negative. From this, he was able to get the 1s and 0s on the card and converted them to alphanumeric using the 6-bit ANSI/ISO alpha format.

[Steve] isn’t going to share the code he wrote for Android just yet, but it should be relatively easy to replicate his work with the Android tutorial he used. Also, yes, we did just pose the question of how these Square credit card readers work just hours ago. Good job being on the ball, [Steve]. Tips ‘o the hat go out to [Bobby], [Leif], [Derek] and anyone else we might have missed.

EDIT: [Stephen] sent in his teardown minutes after this post went live. Hackaday readers are too fast at this stuff.

Post navigation

103 thoughts on “Reading credit cards with a tape head”

I remember doing almost the same sort of thing with credit cards on Beta Max players back in the 80’s. You’d run the player and run the CC over the magnetic tape head and see the CC number show up on the screen. Can’t believe history repeats it’s self once again but only smaller.

This sounds a bit like that myth that if you taped a bit of betamax tape to the back of a credit card the ATM would spontaneously eject all of its cash, Superman III style. All my friends were doing that ;)

Actually, the human readable CVV2 (Visa), CVC2 (MC), CID (Disc/Amex) is not on the stripe, BUT there IS (usually) an embedded security code within the stripe data. It is used when the tracks are sent in for processing to validate the tracks. It would go in the “discretionary data” field on Track one just before the end sentinel.

There is one more component in the Square reader, which is a 5.2k resistor between the read head and mic line. I’ll put up another pic on the post which shows that.
And I DO plan on putting up the app, and the android library which makes it work. I just haven’t quite done it yet.

I’m not 100% certain of the value of mine. I’m no hardware guy. But I did try to measure it with a multimeter and got a value in agreement with what I thought I decoded the stripes to.
I wouldn’t be particularly surprised to find that the actual resistors used vary.

it is interesting that square has to “verify” your identity in order to get the reader. square is using https secure address but i just thought it was odd. why do they ask that i wonder. i ordered mine and will see what happens.

I don’t think most of you understand it..
If your going to use it for transactions they NEED to know who you are for tax purposes..

Shit, they have my full SSN and address, and right they should. Like any other credit card processor, Just as right paypal also has my SSN and address.

I feel bad for this little start-up though. They wanted to partner with paypal.. Instead paypal said no, then released the PayPal here! It’s the same device (just fancier looking) its also free (not in stores, yet) but you have to upgrade your paypal account to business class (also free, but your fees change)..

The idea was it’d be nicer and faster to get cash to your paypal account.

I wouldn’t say this IRL but I use mine for little cash-advances dirt cheap from my credit card..

I heard a story from our schools lab tech (an old ham operator and repairmen), he claims that when the magnetic swipe was being developed, one company made a set and gave it to some engineers and told that that if they can get the account information off of this magnetic strip they can have the money. The lab tech claims that every group got their money and the first group did this sort of hack using a tape deck.
It isn’t supprising. Remember the guys that were recording the numbers off the readers at the ATM in eastern europe. Credit cards are really not that secure.

well, the whole point of the credit card swipe IS NOT security but convenience/speed during transactions. it’s digitizing the old carbon paper credit card swipe. that’s why we still have raised numbers on the card, so they can be quickly swiped on carbon paper. in any case, the card # is right there on the front of the card.

I was at a conference a year or so ago, and Square reps walked around handing them out to every vendor/booth that would take them. Nobody kept them, so I ended up with 10 or so. Plan is to make a sort of musical instrument that generates sound based on the swiped data.

I dunno why it needs to be encrypted from the reader, it’s on the card in plaintext. Do the encrypting on the phone, using the extremely suitable hardware. If I can figure this out, who’s in charge at Visa?

I remember instructions for one of these, using a read and write tape head, an op-amp, and mounting it to a bit of wood, to make a simple hand-swiped card copier. Some old BBS doc, might’ve even been the Jolly Roger. ALL IN CAPS, APPLE ][ STYLE!

Not only that, but I thought they were trying to slowly kill off the mag-stripe, in favour of the much safer smart chips. Subject to a suitable port on the phone, a smart-card reader should be easier to make. Why not launch tiny little USB smartcard readers? There must be next to nothing in ’em.

The new standards from the Payment Card Industry are forcing a move to end-to-end encryption, regardless of the source of the data. This means that the data is AT LEAST protected in transit. I suspect that the Square application encrypts the data after it gets it from the head, and BEFORE it sends it to the network. That is a minimal requirement of the PCI DSS standards. They do NOT (yet) require the card data to be encrypted from the point of reading (head) to the computer application (smartphone program) as that is not considered a “network” connection. MagTek and others have created hardware that encrypts the data IN the head. That will be deployed over time. Eventually, it truly WILL be encrypted from head to network server.

Most ARM OSs use trustzone hardware isolation to handle the data.. You have to find holes in each manufacturers trustzone kernel to dump the protected memory and inject code.. Even non-TZ chips have a software isolation.

I’m talking about the major vendors, they have chip crypto that buffers over the audio API in to an isolated process that usus ARM TZ or Android jails. The key-data is all generated and passed within TrustZone which has hardware isolation.

reached reply depth, so the issue with this from back in 2012 was that you can snoop the audio/microphone traffic easily. I’m aware of TrustZone and how it works, but this wasn’t doing it. I still am not sure if the audio thats coming in is not snoopable, the solution for them was to add more encryption hardware to the square device, which meant if you can snoop it, its encrypted at the end.

The PayPal and Amazon reader have hardware crypto that protect MITM on the audio API. Trustzone and software-jails protect the decryption handler and key-data. These cheap reader-heads to jack readers don’t so TZ doesn’t matter there..

I was pretty interested in this when the readers were first interested. Buffer overflows are needed to dump TZ over the because of how “Secure Configuration Register (SCR)” handles things.

Or the nearly invisible passthru skimmers dropped over the actual “dip” style slot on ATMs which log cards used there and the skimmer doesn’t even need to be there. They have motorized rollers and detect and inhale the card just like the normal slot does, feeding it into the machine’s actual slot behind the “parasite”. Most of them use memories so they have to come back and get it, but no reason it couldn’t be wireless and remotely report the info so they could plant it and never return to the scene (info blasted to some untraceable SMS endpoint via burner phone account?). When numbers stop rolling in, go plant another. Hardware cost is no issue as the scammed info definitely buys the new parts once you invest in building one “skim bug” and get even a few. And it’s molded plastic so it really doesn’t look much different unless you pay attention to every curve and design detail on the mini-ATM at your gas station… not many people do, and they are all made with weird and nonsensical “whoops” and “waves” on the front anyhow so how would you know some weird ass slot thing is not supposed to be there, if it looks like the same plastic as the main case, and it didn’t feel all Playskool and hacky when you rammed your card in. Basically nobody finds them until maintenance comes out to refill or service.

I think a fun social experiment would be to make a R/W version of a parasitic slot skimmer that would read and log cards like usual, but then also write the previous users info on the way out. That way whoever used the ATM would end up with someone elses card cloned onto their stripe and be ‘scamming’ each other completely unknown and unaided. Musical credit cards! I bet companies would quit using stripes almost immediately then…

They didn’t ask for my full social only the last four, but… If they are giving you the power to accept credit cards for financial transactions there are probably certain reporting requirements consistent with the governments desire to hinder money laundering operations, ID theft, and other activities contrary to US law.

Idea: take the new one with battery, hack the electronics (or made a custom PCB) to record every swipe, let’s say it can store 3-4 card’s data. Add a button to toggle between “stored cards”(by number of presses) and automagically pass the data to the iDevice after 2 seconds…
Just passed my mind, don’t know how to continue.

The problem is those audio connectors can only output one head reading without a chip to queue SRAM or flash/eeprom stored buffers filled with each heads input. Plus the square reader only has a one-head-head so the part isn’t good for much anyway.

If you want to do it right and get all data from cards get one of the proto boards from here or the other make sites, and get a 3-head 3mm head off the net and write a firmware that sends the data over USB or does all the waveform to ASCII in firmware and allows download over USB.

State and country IDs use arbitrary encryption and signing. I think the primary magstripe ids have a reference number used on databases because lack of space. That encoded block on some is also encrypted.

I like europe cards because they have chip&pin and use browser plugins for verification to streamline auth.

There appears to be some confusion around what is and is not on a credit card.

There are two security features or keys if you like.

One is the CVC2 M/C or CVV2 Visa. This value is on the back of the card. It is the three digit value you input to make an Internet purchase.

On the magnetic stripe is the CVC1 M/C or CVV1 Visa value.

That is why the mag needs to be read. Once captured you use a “write” head to create a counterfeit card. Yes there is some value in capturing the visible information, but the value to create a counterfeit card lies embedded in the mag stripe.

Crooks can create hundreds of clone from a single swipe minutes or seconds after the card is swiped.

The original Square device allowed for a cheap and convenient way to steal the card mag. They put encryption on the device to prevent this.

So now the crooks have to purchase their card swlipers on eBay rather than get their swlipers for free from Square.

Didn’t read the link, but it makes sense you could just blast loud tones out the “headphones” into the swiper and get some DC power from that, enough to charge up a capacitor and then run long enough to do the swipe handling. Similar to how the RFID stuff uses near-field energy to power up (no battery).

is updated frequently with free advice about Google Ad –
Words strategy, tactics, tips tricks and techniques for success in Ad – Words advertising.
In addition, the observing surgeons could transmit their comments to
the operating surgeon, who could read them on the Google Glass
monitor. Reputation Defense Online an around the world Cyber
Investigation along with Litigation Assistance Agency for
Net Defamation, often receives inquiries from attorneys along
with law enforcement agencies on the way to subpoena
Google’s Legal Division.

By the way, there are tape heads out there that are like 2mmx2mmx1mm. This is what was used in that super stealthy skimmer that was in the news not long ago. Hard to source unless you destroy some $20 readers..

I wonder if you could use one of those microphone jack to cassette player adapters to supply your read head? I realize the head there is meant to “write” to the cassette player’s head but I imagine it ought to work both ways. Such adapters can be had at a dollar store for,… well, a dollar.

Hello folks,
So need your valuable suggestion,
When we inserts card in an ATM, it should be inserted only in a proper direction.
As ATM uses Fixed drive Mechanism.
Is their mechanism exists which can read the card independent of its direction?
What i am looking for is a Rotating Drive Mechanism.
Where the Read Head will automatically detect the Magnetic Strip position.